I have been successfully using this setup in a prod environment for over 6 months.
Works as expected (OpenSSH-4.7p1, OpenSSH-5.0p1 and OpenSSH-5.1p1) under Solaris
and Linux with local and LDAP (pam_ldap) authentication.

The configuration takes advantage of the (slightly modified) recently implemented OpenSSH 'Match group'
feature introduced in OpenSSH-4.3p2 and allows administrators to enforce granular controls of the DST IP:PORT
combos to which users/groups can open SSH tunnels. It also uses Sleep Dummy Shell (sleepshell)
(available at [url]http://www.mariovaldez.net/software/sleepshell/[/url]) - a simple do-nothing, sleep-forever
program that is used as a login shell to avoid a full-blown shell assignment.

A patch for OpenSSH that allows users to be in multiple "Match group" blocks and allows multiple
PermitOpen statements per "Match group" block is included below.
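An added sshd_config fragment illustrating the deny-by-default, per-group PermitOpen layout the post describes (example written for this page, not the poster's configuration); the group names and 192.0.2.x destinations are placeholders, and the comments note where stock OpenSSH semantics differ from the patched behaviour the post relies on.

```text
# Global defaults: nobody gets a TCP tunnel unless a Match block below grants one.
AllowTcpForwarding no
PermitOpen none
X11Forwarding no
GatewayPorts no
# The login shell for these tunnel-only accounts is set to sleepshell in
# passwd/LDAP; that is an account attribute, not an sshd_config directive.

# Placeholder group: members may only reach the database listeners.
Match Group tun-db
    AllowTcpForwarding yes
    # Stock OpenSSH takes several destinations on ONE line, whitespace-separated.
    # The patch in this post allows them as separate PermitOpen lines instead.
    PermitOpen 192.0.2.10:5432 192.0.2.11:5432

# Placeholder group: members may only reach the internal web front-end.
Match Group tun-web
    AllowTcpForwarding yes
    PermitOpen 192.0.2.20:443
```

With stock OpenSSH only the first matching block's PermitOpen value applies to a user who is a member of both groups; verify the effective values with `sshd -T -C user=<name>` where that option is available, and test an unauthorised destination to confirm the tunnel is refused.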